AST-05: API Key Header Sent as None String on Unauthenticated Requests
Severity: MEDIUM
Affected File(s): aster/api.py:36-42
Description
Session headers set X-MBX-APIKEY unconditionally. When key=None, requests converts this to the string 'None' in the HTTP header. Every request sends X-MBX-APIKEY: None. Calling signed endpoints with secret=None crashes with AttributeError.
Vulnerable Code
self.session.headers.update({"X-MBX-APIKEY": key}) # key=None
Impact
Implementation details leaked in headers. Unhelpful error when secret is not configured.
Proof of Concept
Create API instance without key, make any request, observe 'X-MBX-APIKEY: None' header.
Recommended Fix
Only set header when key is provided:
headers = {...}
if key:
    headers["X-MBX-APIKEY"] = key
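The following is an added example, not code from aster/api.py, showing the recommended fix next to the behaviour the finding describes and extending it to the signed-endpoint case. It assumes a plain dict in place of the requests session headers, a baseline Accept header that is constructed for the example, and an HMAC-SHA256 signature over the URL-encoded query string as the signing scheme (the project's actual signing routine is not shown on this page). The vulnerable_session_headers function deliberately stringifies the key to emulate the 'X-MBX-APIKEY: None' header the advisory reports.

```python
import hashlib
import hmac
from urllib.parse import urlencode


def vulnerable_session_headers(key):
    """Emulates the reported behaviour: the header is set unconditionally,
    so an unconfigured key (None) ends up on the wire as the string 'None'."""
    return {"Accept": "application/json", "X-MBX-APIKEY": str(key)}


def build_session_headers(key):
    """Hardened version of the session header setup.

    X-MBX-APIKEY is only added when a key is actually configured, so an
    unauthenticated client sends no API key header at all.
    """
    headers = {"Accept": "application/json"}  # constructed baseline header
    if key:
        headers["X-MBX-APIKEY"] = key
    return headers


def sign_query(params, secret):
    """Append an HMAC-SHA256 signature over the query string (assumed scheme).

    A missing secret is rejected with a descriptive ValueError instead of
    surfacing later as an AttributeError on None.encode().
    """
    if not secret:
        raise ValueError(
            "signed endpoint requested but no API secret is configured"
        )
    query = urlencode(params)
    signature = hmac.new(
        secret.encode(), query.encode(), hashlib.sha256
    ).hexdigest()
    signed = dict(params)
    signed["signature"] = signature
    return signed


def prepare_request(params, key=None, secret=None, signed=False):
    """Assemble headers and parameters for one request.

    Returns a dict with 'headers', 'params' and 'error'; 'error' carries the
    configuration problem (if any) so callers see a clear message rather
    than a crash deep inside the HTTP layer.
    """
    result = {"headers": build_session_headers(key), "params": dict(params), "error": None}
    if signed:
        try:
            result["params"] = sign_query(params, secret)
        except ValueError as exc:
            result["error"] = str(exc)
    return result


if __name__ == "__main__":
    # Constructed sample: a public (unsigned) request with no credentials.
    print(vulnerable_session_headers(None))          # leaks 'None'
    print(build_session_headers(None))               # no key header at all
    # Constructed sample: a signed request with credentials missing.
    print(prepare_request({"symbol": "BTCUSDT"}, signed=True)["error"])
```

A unit test that asserts 'X-MBX-APIKEY' is absent from the headers when no key is configured is a cheap regression check for this finding; the explicit ValueError in sign_query turns a misconfiguration into an actionable message before any request is sent.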
Methodology: Triple-verification static analysis -- each finding verified across three independent code review passes.
Researcher: Independent Security Researcher -- Mefai Security Team